
Wisdom of keeping PHP scripts embedded when submitting forms

Community Expert, Aug 19, 2009

I was wondering if the PHP scripts I'm using to insert user names and contact info into my database would be more secure if the code was moved to a new page called insrtRecord.php and the form action were changed from action="<?php echo $editFormAction; ?>" to action="/Scripts/insrtRecord.php"

The page was constructed entirely with Dreamweaver's built-in behaviors so all the code is right there in the contact page for anyone to look at.

I'd then password protect the Scripts directory that contained the insrtRecord.php file to keep it from prying eyes.

Thanks for your advice.

TOPICS
Server side applications

LEGEND, Aug 19, 2009

I'm not sure I am following you. If it's a server side script, then what is there for prying eyes to see? If the script is all php, they will see nothing in the source code. Also, if you place the script in a password protected folder, won't it prompt for the password on execution?

Community Expert, Aug 21, 2009

The question came to mind when I was in an office of a guy that specialized in SEO. He took a look at my site, checked the code, and I was sure that I saw some PHP tags pop up.

My Connections folder with the database un and pw is in a protected directory and there's never a call to put in a password when a page connects to the MySQL database. This leads me to believe that I can protect all my PHP scripts.

Since no one has responded I think I'll give it a try using includes. This may make my coding a lot easier.

Thanks for the reply.

Advisor, Aug 21, 2009

As has already been mentioned, server-side scripts are processed on the server and cannot be seen on a visited page. There's no need to put your connection file or any other script in a password-protected directory. Which makes me wonder what field your community expertise is in?

Community Expert, Aug 22, 2009

Expert in Video... Maybe the community expert tag should include the areas of expertise... After Effects, Photoshop, Premiere... new to php and content managed web development.

BTW.. The suggestion to put your connections in a protected folder was found all over the web and in several tutorials that I watched on PHP security issues.

LEGEND, Aug 21, 2009

>He took a look at my site, checked the code, and I was sure that I saw some PHP tags pop up.

Rick, if you did see a tag then it must have been due to a misconfigured script. Any valid php will be parsed on the server and not sent to the client.

>My Connections folder with the database un and pw is in a protected directory
>and there's never a call to put in a password when a page connects to the MySql database.
>This leads me to believe that I can protect all my PHP scripts.

But connection scripts are referenced using includes which is different than what you originally suggested. I'm not saying it won't work, I really don't know. But it's easy to test and if it works I don't see any harm in adding another layer of security.

Community Expert, Aug 22, 2009

You're right about the tag being visible... It wasn't closed and for some reason didn't show up on the page.

I'm pushing all of my php code for sending confirmation and notification e-mails and updating the database to an includes folder so that it's easier to put it on separate pages.

I've also put header and footer info in includes. I'm loving this technique much more than using library items. Only one thing to change and sync instead of changing a library item that could change hundreds of pages on the site that would have to be re-synced.

Thanks for the comments

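An added example, not code from the thread or from Dreamweaver's generated behaviors, showing the difference discussed above between requesting a script over HTTP and pulling it in with an include. HTTP password protection applies only to browser requests, so a form whose action points into the protected directory triggers the password prompt, while a public page that reads the same file from disk with require does not. The file paths, the CONTACT_PAGE constant, the contacts table and its columns, and the $db PDO handle are all assumptions.

```php
<?php
// ---- File 1: /var/www/private/insert_record.inc.php (assumed path, outside the web root) ----
// No URL maps to this file, so a browser cannot request it; PHP reads it from disk via require.
if (!defined('CONTACT_PAGE')) {   // hypothetical guard constant set by the including page
    http_response_code(403);      // reached only if the file is ever served directly
    exit;
}

/**
 * Insert one contact row. $db is a PDO handle; table and column names are constructed.
 * Returns a list of validation errors; an empty list means the row was inserted.
 */
function insert_contact(PDO $db, array $post): array
{
    $name  = trim($post['name'] ?? '');
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $errors = [];
    if ($name === '')     { $errors[] = 'Name is required.'; }
    if ($email === false) { $errors[] = 'A valid e-mail address is required.'; }
    if ($errors) { return $errors; }

    // Prepared statement: user input is bound as data, never concatenated into the SQL.
    $stmt = $db->prepare('INSERT INTO contacts (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
    return [];
}
?>
<?php
// ---- File 2: /var/www/html/contact.php (public page; the form posts back to itself) ----
define('CONTACT_PAGE', true);
require '/var/www/private/connection.inc.php';    // assumed to create $db (PDO); also outside the web root
require '/var/www/private/insert_record.inc.php'; // filesystem read: no HTTP auth prompt is involved

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = insert_contact($db, $_POST);
}
?>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES); ?>">
  <?php foreach ($errors as $e) { echo '<p>' . htmlspecialchars($e, ENT_QUOTES) . '</p>'; } ?>
  <input name="name"> <input name="email"> <button type="submit">Send</button>
</form>
```

Keeping the included files outside the web root (or denying HTTP access to their directory) also covers the case raised in the thread where a misconfigured server returns PHP source instead of executing it, because the credentials file has no URL to be served from.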